12.1.10 Checking the Audit Log


The audit log is collected when the audit function is used in these systems. Use the viewaudit command to view the audit log.
Operation Procedure
  1. Execute the viewaudit command on the XSCF shell.
    The following example displays all audit records.
XSCF> viewaudit
file,1,2012-04-26 21:37:25.626 +00:00,20120426213725.0000000000.SCF-4-0
header,20,1,audit - start,0.0.0.0,2012-04-26 21:37:25.660 +00:00
header,43,1,authenticate,0.0.0.0,2012-04-26 22:01:28.902 +00:00
authentication,failure,,unknown user,telnet 27652 0.0.197.33
header,37,1,login - telnet,0.0.0.0,2012-04-26 22:02:26.459 +00:00
subject,1,opl,normal,telnet 50466 10.18.108.4
header,78,1,command - setprivileges,0.0.0.0,2012-04-26 22:02:43.246 +00:00
subject,1,opl,normal,telnet 50466 10.18.108.4
command,setprivileges,opl,useradm
platform access,granted
return,0
    As shown in the above example, records are displayed in text format by default. One token is displayed per line, with a comma as the field delimiter character.

    The token types and their fields are shown in Table 12-6 (in the display order).
Table 12-6  Token Types and Their Fields (in the Display Order)

| Token Type | Field (Display Order) |
|---|---|
| File Token | Label, version, time, file name |
| Header Token | Label, record byte count, version, event type, machine address, time (event recording time) |
| Subject Token | Label, audit session ID, UID, mode of operation, terminal type, remote IP address, remote port |
| Upriv Token | Label, success/failure |
| Udpriv Token | Label, success/failure, user privilege, domain ID 1, ..., domain ID N |
| Command Token | Label, command name, operand 1, ..., operand N |
| Authentication Token | Label, authentication result, user name, message, terminal type, remote IP address, remote port |
| Return Token | Label, return value |
| Text Token | Label, text string |

Note - Some fields might not be output depending on the environment.
    The main audit events and tokens are as follows:
    - Login telnet
        Header
        Subject
        Text
        Return
    - Login SSH
        Same as for Login telnet
    - Login BUI
        Same as for Login telnet
    - Logout
        Header
        Subject
    - Audit start
        Header
    - Audit stop
        Header
    - Shell command
        Header
        Subject
        Command
        Text
        Upriv | Udpriv
        Return
Note - Some tokens might not be output depending on the environment. Also, this information is subject to change without prior notice for functional improvement.
Note - For details of the log options, audit classes, and audit events of the viewaudit(8) command, see the man pages or the Fujitsu SPARC M12 and Fujitsu M10/SPARC M10 XSCF Reference Manual.
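
The following added example (not part of the Fujitsu manual) parses the default text output of viewaudit into records, starting a new record at each header token, and lists failed authentications and setprivileges commands for review. The dictionary key names and the choice of events to flag are assumptions of this example. It expects one token per line, so wrapped console lines must be rejoined first.

```python
import csv

# Field names in display order (Table 12-6); "terminal" holds the last comma field as shown.
FIELDS = {
    "header": ["byte_count", "version", "event_type", "machine_address", "time"],
    "subject": ["session_id", "uid", "mode", "terminal"],
    "authentication": ["result", "user", "message", "terminal"],
}

# Sample input: the viewaudit output shown on this page, wrapped lines rejoined.
SAMPLE = """\
file,1,2012-04-26 21:37:25.626 +00:00,20120426213725.0000000000.SCF-4-0
header,20,1,audit - start,0.0.0.0,2012-04-26 21:37:25.660 +00:00
header,43,1,authenticate,0.0.0.0,2012-04-26 22:01:28.902 +00:00
authentication,failure,,unknown user,telnet 27652 0.0.197.33
header,37,1,login - telnet,0.0.0.0,2012-04-26 22:02:26.459 +00:00
subject,1,opl,normal,telnet 50466 10.18.108.4
header,78,1,command - setprivileges,0.0.0.0,2012-04-26 22:02:43.246 +00:00
subject,1,opl,normal,telnet 50466 10.18.108.4
command,setprivileges,opl,useradm
platform access,granted
return,0
"""

def parse_records(text):
    """Group token lines into records; each header token starts a new record."""
    records = []
    for row in csv.reader(text.splitlines()):
        if not row or row[0] == "file":
            continue  # blank line, or the file token (describes the log, not an event)
        label, values = row[0], row[1:]
        if label == "header":
            records.append({"header": dict(zip(FIELDS["header"], values)), "tokens": []})
        elif records:
            named = dict(zip(FIELDS[label], values)) if label in FIELDS else {"values": values}
            records[-1]["tokens"].append((label, named))
    return records

def review(records):
    """Return (event time, finding) pairs for failed logins and privilege changes."""
    findings = []
    for rec in records:
        when = rec["header"].get("time")
        for label, tok in rec["tokens"]:
            if label == "authentication" and tok.get("result") == "failure":
                findings.append((when, "authentication failure from " + tok.get("terminal", "?")))
            elif label == "command" and tok["values"][:1] == ["setprivileges"]:
                findings.append((when, "setprivileges " + " ".join(tok["values"][1:])))
    return findings
```

Calling `review(parse_records(SAMPLE))` returns the failed telnet authentication and the setprivileges command from the sample, each paired with the time from its header token.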